I am currently working on a project that will collect a lot of customer sensitive data. DOB, SSN, credit history, and other personal data.

This data is all used by a website which generates documents in PDF form which contain the personal data. Obviously if the customers' usernames and passwords are compromised their individual information is at risk, but what can I do to protect the database from being compromised?

Should I be encrypting the PDF documents and other information in the database? Will that cause significant performance problems as the number of users scales up?

Is it enough to keep the database server on a private network which the public web server accesses?

One thing to remember is that if the web server is compromised, the attacker will most likely have all the same access the web server user (i.e. www-data) had (or more); hence, they would be able to read config files with database passwords, and access the MySQL server wherever it is located.
– Brent May 20 '09 at 21:13

You should certainly have the database behind a firewall, only accessible to the web server. Why expose it more than is needed?

As for encryption... that would be good as long as your access requirements don't make it useless. Ideally you could store the SQL data encrypted to a key you know, and any produced documents would be encrypted to the client's key.
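As an added illustration of the two-level scheme in this answer (it is example code, not something from the question or answer): sensitive columns are encrypted with AES-GCM under a server-held key before they reach the database, and each customer's PDF is encrypted under its own key, which is stored only after being sealed under the server key with the same function. The record id and column name go into the associated data, so a ciphertext copied between rows or columns is rejected on decryption. Key names and the `recordID/column` layout are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one column value and binds it to its row and column through
// the associated data, so a ciphertext copied into another row or column
// will not decrypt. Stored layout: nonce || ciphertext || GCM tag.
func Seal(key []byte, recordID, column string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID+"/"+column)), nil
}

// Open reverses Seal and fails if the key, row, column or bytes were changed.
func Open(key []byte, recordID, column string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored value shorter than a nonce")
	}
	return gcm.Open(nil, stored[:n], stored[n:], []byte(recordID+"/"+column))
}
```

The server key must live outside the database (a KMS, HSM or a file readable only by the application), because a compromised web server that can read the key alongside the ciphertext gains nothing from the encryption; a per-customer document key is simply another value passed through `Seal` under the server key, and later re-wrapped to a client-held key if the documents are to be released that way.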